Chapter 6. Information Risk in Large Organizations

Executive summary

The information security risks and regulatory pressures faced by larger organizations are of a different league to those faced by smaller ones. Both the threats and the vulnerabilities are significantly different and, as a result, larger organizations suffer more security incidents than the average: ISBS 2004, for instance, reported that 94% of large companies had experienced an information security breach, compared to an overall rate of 74%.

Threats to larger organizations

The threats, both external and internal, are more significant, and this reflects the perceived depth, quantity and value of the larger organization’s information assets, its reputation and profile, and the number of people interested in targeting it. The 2004 ISBS showed that 91% of larger organizations had suffered one or more malicious incidents, compared to an overall figure of 68%. Threats range from hackers through cyber-criminals, organized crime and activists of one sort or another to spies and cyber-terrorists – all depending on the organization.

Each sector has its own niche criminals: phishers target consumer financial services companies; industrial spies target intellectual property companies; activists target those companies they perceive as having an environmental or social impact of which they disapprove; hackers target those companies whose scalp will bring them the most prestige; and cyber-terrorists target those companies through which they think they can inflict the most damage on the West. Fraudsters target any organization where they can find a way of siphoning off cash, and probably work from the inside.

More people are made redundant by, or fall out with, large organizations, and more contractors have their contracts terminated by large organizations – not proportionally, but in absolute terms, simply because such large numbers of people are employed by any large organization. There are, therefore, likely to be many more people with a grudge against any one larger organization than there are against any smaller one.

Information leaked from a larger company is likely to be more price sensitive than that from a smaller one; details of its strategic plans (including mergers, acquisitions, restructurings, product launches, logistics, procurement, trial results, etc) are likely to have substantially more cash value than similar information from much smaller companies, and insiders are therefore more likely to be tempted to try to profit from such privileged information.

And, of course, for regulators and enforcers, targeting one or two non-compliant larger businesses brings a better return on investment than pursuing a number of smaller ones while, for institutional shareholders, the expectation is that larger organizations will be models of transparent, effective corporate governance and compliance.

Vulnerabilities in larger organizations

Paradoxically, larger organizations often have more vulnerabilities than smaller ones.

  • Almost all larger organizations have now gone digital: e-mail, employee Internet access and transactional Websites are standard; wireless networking and remote access are being rapidly deployed.

  • Larger organizations are more complex: they have multiple divisions and business units (each with its own management and operational ethos, and each with sufficient local discretion to take actions that will seriously compromise the parent organization) operating internationally and across multiple jurisdictions, with different products and services and, therefore, different information technology needs.

  • Large organizations have often been built through a number of acquisitions, each of which brought a slightly different information technology infrastructure (architecture, hardware, operating systems, applications, bespoke software, working practices, culture, values and philosophy) to the party, not all of which has yet been (or is intended to be) successfully integrated into a single, harmonious whole.

  • While every system has its own vulnerabilities, the complexity of the whole creates another series of super-vulnerabilities. Most large organizations also have one or more legacy systems, which individual units or divisions may depend on, and which are no longer capable of integration into the overall architecture and may no longer be supported by their vendors. They work, though, for the moment.

  • Their multiple suppliers and volumes of customers all want electronic linkages with the company, and every such linkage is also a point of vulnerability.

  • Larger companies are more likely to have outsourced significant parts of their operations; every outsourcing contract is a potential vulnerability.

  • There are more people working in larger organizations; this means that there are more opportunities for someone to err, and for that error to have a negative impact on the availability, confidentiality or integrity of the organization’s information assets. The 2004 ISBS, for instance, reported that 42% of large organizations had experienced an accidental systems failure and data corruption, compared to an overall rate of just 27%.

Impacts on larger organizations

The impacts on larger businesses are significantly worse than the overall average. According to ISBS 2004, the percentage of large organizations affected by each of the following, compared to the overall average, was:

  • Virus infection and software disruption: 68% against 50%

  • Staff misuse of information systems: 64% against 22%

  • External intrusions into systems: 39% against 17%

  • Computer related theft or fraud: 49% against 11%

  • The total cost of the worst incident, in a larger company, was between £65k and £190k, compared to a range of £7k to £14k overall.

Data protection and privacy regulation in larger organizations

Complex organizations, with diversified or (partially) virtual business models, operating in and across a number of legal jurisdictions, also have a more complex regulatory compliance task than smaller ones. While any one regulation (and its related compliance failure) might apply only to a subsidiary national entity, it is the global parent whose reputation is damaged. The more failures, the more damage; in a global marketplace, where information travels at the ‘speed of light’, such failures can have a dramatically destructive effect. Moreover, it is the larger organizations that are targeted by data thieves and by regulatory ‘enforcers’ looking for a scalp; smaller ones have less valuable information to steal, and prosecuting them doesn’t win headlines or advance a career.

ISO 27001

Clearly, information security and information regulatory compliance are an even more serious undertaking for larger organizations than for smaller ones. ISO 27001 provides a framework and best practice guidance that helps any large organization tackle these issues in a structured and comprehensive fashion, and that will demonstrate, to any court, clear intent to meet regulatory compliance requirements.
